I am about to learn CORS as a next step (my assumptions may be confirmed by others). What I have learned so far is that there is a sending part (like AJAX) and a receiving part (normally an API). If both parts are at the same domain and port, they are "Same Origin". If the receiving part is on a different port or domain, it may be prohibited from communicating by CORS policy.
As I understand it, you can override this policy as long as you have control over both the sending and receiving part (API or whatever). Or, if the receiving part sends you a "key" to allow access, you can communicate and override the CORS policy.
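
The origin comparison and the receiving side's permission described in the post above, as an added example that is not part of the original post. It models the "key" as the `Access-Control-Allow-Origin` response header for simple, non-credentialed requests (no preflight); the hostnames, the allowlist and the function names are assumptions made up for illustration.

```javascript
// Added example: origin comparison plus a server-side CORS allowlist decision.
// All hostnames and the allowlist are constructed for illustration.

// An origin is the (scheme, host, port) triple. URL.origin normalizes
// default ports, so https://host and https://host:443 compare equal.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Hypothetical allowlist that the receiving API maintains.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Receiving side: given the request's Origin header, return the CORS headers
// to attach to the response. An empty object grants nothing, so the browser
// keeps the cross-origin response away from the calling script.
function corsHeaders(originHeader, allowed = ALLOWED_ORIGINS) {
  if (!originHeader || !allowed.has(originHeader)) return {};
  return {
    // Echo only exact allowlist matches, never an unchecked Origin value.
    "Access-Control-Allow-Origin": originHeader,
    // Stop shared caches from serving one origin's response to another.
    "Vary": "Origin",
  };
}

// Sending side (simplified browser check): a script may read the response if
// the request is same-origin, or if the header names the page's origin or "*".
function browserAllowsRead(pageUrl, apiUrl, responseHeaders) {
  if (sameOrigin(pageUrl, apiUrl)) return true;
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === new URL(pageUrl).origin;
}
```

The enforcement happens in the browser: the API only states which origins may read its responses, so the allowlist is not a substitute for authentication on the API itself.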